b"                UNITED STATES\n     CONSUMER PRODUCT SAFETY COMMISSION\n\n\n\n\n         OFFICE OF INSPECTOR GENERAL\n\nAUDIT OF THE GOVERNMENT PURCHASE CARD PROGRAM\n\n              Issued: August 27, 2012\n\x0c\x0c                                              TABLE OF CONTENTS\n\n\n\n\nEXECUTIVE SUMMARY ................................................................................................ 3\n   BACKGROUND ............................................................................................................ 5\n   OBJECTIVES ................................................................................................................. 5\n   SCOPE ............................................................................................................................ 6\n   METHODOLOGY ......................................................................................................... 6\nRESULTS AND FINDINGS .............................................................................................. 8\n   1.    Lack of Adherence to CPSC Policy and Procedures ............................................... 8\n   2.    Noncompliance with Laws and Regulations .......................................................... 10\n   3.    Lack of Proper Design, Implementation, and Effective Internal Controls ............ 11\n   4.    Accountable Property ............................................................................................ 15\nRECOMMENDATIONS .................................................................................................. 15\nMANAGEMENT RESPONSE......................................................................................... 16\nAPPENDIX A: MANAGEMENT\xe2\x80\x99S RESPONSE ........................................................... 17\nAPPENDIX B: OIG\xe2\x80\x99S RESPONSE TO MANAGEMENT ............................................. 18\n\n\n\n\n                                                                                                                                     2\n\x0c                              EXECUTIVE SUMMARY\n\n\nBACKGROUND\n\nThe U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General\n(OIG) conducted a follow-up audit of the government purchase card (purchase card)\nprogram. This audit was conducted in accordance with Generally Accepted Government\nAuditing Standards (GAGAS). The purpose of our audit was to review purchase card\nactivity during fiscal year (FY) 2011, and management\xe2\x80\x99s remediation efforts regarding\nthe findings and recommendations issued in the purchase card audit conducted by\nWithumSmith + Brown (WS+B) in FY 2010. We reviewed applicable documentation to\ngain an understanding of the operations of the purchase card program and the internal\ncontrols that were in place for the purchase card program at the time of our audit. In\naddition, we identified applicable laws, regulations, policies, and procedures; and we\nevaluated the agency\xe2\x80\x99s compliance with these. Finally, we reviewed the FY 2010 CPSC\nPurchase Card Audit Report to determine whether management had taken timely\ncorrective actions based on the report\xe2\x80\x99s findings and recommendations.\n\nRESULTS OF EVALUATION AND FINDINGS\n\nThis report covers the CPSC\xe2\x80\x99s purchase card program for FY 2011. Overall, we found\nthat the CPSC does have a functioning purchase card program in place; however, despite\ndirection from the Chairman of the agency, management officials have not taken timely\ncorrective action to address the deficiencies found in the 2010 audit. We found that the\nprogram still has a number of internal control weaknesses and does not comply with a\nnumber of the policies and procedures governing the purchase card program. Our\nfindings regarding these issues include the following:\n\n   1. Lack of Adherence to CPSC Policies and Procedures:\n      The CPSC does not follow its policies and procedures related to performing\n      timely reviews and updates to the CPSC Directive, 1540.1 \xe2\x80\x93 Government-wide\n      Commercial Purchase Card program and the related Directive, 1540.1a -\n      Appendix A, Government-wide Commercial Purchase Card Handbook. No one\n      has updated the directive since 2004. In addition, neither the Division of\n      Financial Services (FMFS), nor the Division of Procurement Services (FMPS)\n      performed a proper annual review of the purchase card program, as required by\n      CPSC Directive 1540.1. The last review of the program by FMFS or FMPS took\n      place during FY 2009, and that review did not follow the policies and procedures\n      in CPSC Directive 1540.1.\n\n   2. Noncompliance with Government-Wide Policies and Procedures:\n      The CPSC does not comply with various government-wide regulations associated\n      with the purchase card program. We noted failures to comply with the following\n      regulations:\n\n\n\n                                                                                       3\n\x0c           a) Management did not complete audit remediation efforts properly in\n              accordance with OMB Circular A-50, Audit Follow-Up;\n           b) FMFS did not follow properly the guidelines for purchase card recovery\n              procedures and internal controls set out in OMB Circular A-123,\n              Management\xe2\x80\x99s Responsibility for Internal Control, including Appendix B,\n              Improving the Management of Government Charge Card Programs;\n           c) The CPSC had multiple cardholders who initiated split purchases. Instead\n              of detecting and correcting these purchases, Approving Officials (AO)\n              authorized the purchases, which does not comply with Federal\n              Acquisition Regulation (FAR) Part 13, Simplified Acquisition Procedures.\n\n   3. Lack of Properly Designed, Implemented, and Effective Internal Controls:\n\nInternal controls are processes designed to provide reasonable assurance regarding the\nachievement of objectives in the following categories: (a) Effectiveness and efficiency of\noperations; (b) Reliability of financial reporting; and (c) Compliance with laws and\nregulations. Therefore, in our assessment of P-card internal controls, we first determined\nwhether the internal controls were created (designed) and placed into operation\n(implemented). Based on the initial assessment of internal controls, we able to determine\nwhether controls placed into operation, were in fact, performed by those involved in the\nprogram (operating effectiveness). The results of the evaluation, found that the purchase\ncard program lacks adequate internal controls. Problems were found with the design,\nimplementation, and/or effectiveness of the internal controls tested. We identified\ninternal control weaknesses in multiple areas of the purchase card program, including the\nfollowing:\n\n           a) FMFS established internal controls that enabled circumvention by the\n              cardholders and AOs, leading to the inconsistent use of the controls and\n              creating an overall weak internal control environment;\n           b) Cardholders and AOs are not following the internal control guidance\n              provided by FMFS;\n           c) Without authorization, one office within the CPSC created its own\n              internal control structure separate and distinct from the one administered\n              by FMFS;\n           d) The internal controls in place failed to detect or prevent the\n              improper/unallowable purchases of certain goods and services; and\n           e) The internal controls in place failed to detect or prevent the improper\n              approval or execution of purchases exceeding the micro-purchase limit.\n\n   4. Accountable Property:\n      Property purchased using the purchase card is not being properly accounted for;\n      nor is it being entered into the CPSC\xe2\x80\x99s Property Management System (PMS) in a\n      timely manner.\n\n\n\n\n                                                                                           4\n\x0cMANAGEMENT\xe2\x80\x99S RESPONSE\n\nOverall, management concurred with all of our findings and recommendations, with the\nexception of those related to the purchase of three Apple iPad 2s with the government\npurchase card (Finding 3d above). This finding resulted from the CPSC\xe2\x80\x99s inability to\nproduce documentation supporting the existence of a legitimate government need for the\npurchase, plus the purchase\xe2\x80\x99s violation of CPSC Directive 1540.1\xe2\x80\x99s prohibition on the\npurchase of telecommunications supplies. Further, no one accounted for these items\nproperly in the CPSC PMS until after their discovery by the OIG (Finding 4 above). See\nmanagement\xe2\x80\x99s full response to these audit findings at Appendix A. Also, see the OIG\xe2\x80\x99s\nresponse to management\xe2\x80\x99s response at Appendix B.\n\n                                  INTRODUCTION\n\nBACKGROUND\n\n\nThe General Services Administration (GSA) developed the Government-Wide\nCommercial Purchase Card program to promote the use of the government purchase card\nby federal agencies. GSA intended the purchase card program to streamline federal\nagency acquisition processes by providing a low-cost, efficient vehicle for obtaining\ngoods and services directly from vendors. The CPSC, which is subject to the FAR,\npromulgates its purchase card policies and procedures through a directive and handbook.\nThe Government Accountability Office (GAO) has reviewed purchase card programs for\nmany years and issued reports highlighting weaknesses that expose agencies to\nfraudulent, improper, and abusive purchases and losses of assets. Some of the common\ndeficiencies cited by GAO include:\n\n   \xe2\x80\xa2 Failure to authorize purchases properly;\n   \xe2\x80\xa2 Failure to document independent receipt and acceptance; and\n   \xe2\x80\xa2 Inability to account for easily pilfered goods obtained with purchased cards.\n\nThe use of the purchase card benefits the government by saving time, money, and\nresources. FAR Part 13.301 authorizes the use of the purchase card to make \xe2\x80\x9cmicro-\npurchases.\xe2\x80\x9d FAR Part 2.101 sets the micro-purchase threshold at $3,000 for most items;\nhowever, the CPSC\xe2\x80\x99s purchase card micro-purchase limit is currently set at $2,500.\n\nOBJECTIVES\n\nThe primary objective of this audit was to assess the CPSC\xe2\x80\x99s remediation efforts\nregarding the findings and recommendations from the FY 2010 Purchase Card Audit\nconducted by WS+B. The prior WS+B audit identified internal control and compliance\ndeficiencies within the CPSC\xe2\x80\x99s purchase card program. Thus, we expanded our primary\naudit objective to the following:\n\n\n\n\n                                                                                         5\n\x0c   1. To determine and assess the adequacy of the remediation efforts made by the\n      CPSC regarding the audit findings and recommendations from the FY 2010\n      Purchase Card Audit conducted by WS+B.\n   2. To conduct an evaluation of the CPSC\xe2\x80\x99s current purchase card program\xe2\x80\x99s internal\n      controls structure to determine whether internal controls have been designed and\n      implemented appropriately and are operating effectively to ensure that purchase\n      card program objectives are met.\n   3. To evaluate the CPSC\xe2\x80\x99s compliance with the federal laws, regulations, and\n      provisions governing the purchase card program.\n\nSCOPE\n\nThis audit covers purchase card transaction activity during FY 2011 (October 2010 to\nSeptember 2011), as administered by the Office of Financial Management, Planning, and\nEvaluation (EXFM) at CPSC headquarters in Bethesda, MD. During the audit scope, the\nCPSC had approximately 169 cardholders and $1,311,088.95 in net purchases. All\npurchase cardholders at CPSC headquarters and field locations throughout the United\nStates were included in the scope of the audit. Audit fieldwork took place from January\n2012 through March 2012.\n\nMETHODOLOGY\n\nWe conducted this audit in accordance with Generally Accepted Government Auditing\nStandards (GAGAS). Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\nTo accomplish our audit objectives, we obtained an understanding of the CPSC purchase\ncard program to include the design, implementation, and operating effectiveness of\ninternal controls, compliance with CPSC governing policies and procedures, and\ncompliance with applicable federal laws, regulations, and provisions. Furthermore, to\nassess the control environment, we also gained an understanding of the CPSC\xe2\x80\x99s\nremediation efforts from the prior FY 2010 Purchase Card Audit findings. To obtain this\nunderstanding, we conducted interviews with key EXFM personnel, performed\nwalkthroughs of the CPSC purchase card internal controls and execution of policies and\nprocedures, inspected relevant supporting documentation, and examined purchase card\ndata and reports from the contracted vendor, U.S. Bank.\n\nBased on the information gathered, we identified specific risks and opportunities for\nfraudulent, improper, or abusive purchases within the CPSC's program, and then we\ndetermined what key control activities were in place to prevent or detect such\noccurrences. Additionally, we performed a preliminary assessment of whether the\ncontrols were likely to be effective, and we identified any control design inefficiencies\nbased on the control process. As a result of the preliminary assessment, we designed the\n\n                                                                                             6\n\x0caudit procedures (test of controls) to assess the internal controls\xe2\x80\x99 operating effectiveness,\nto review specific attributes of the program, and to determine compliance with the\nidentified laws, regulations, and provisions governing the program.\n\nIn order to perform our audit procedures at the transactional level, we obtained a\npopulation of purchase card transactions from the U.S. Bank System and verified the\ncompleteness of the population by comparing the population totals to master bank\nstatements for the audit period. However, the U.S. Bank statement cycle close is mid-\nmonth for transactions; thus, our sampled items were selected from the period September\n17, 2010 through September 16, 2011. As such, this period includes a universe of 5,717\ntransactions totaling a net amount of $1,311,088.95. However, given the different\nattributes surrounding credit (refund) transactions, we deemed it appropriate to extract\nand test credit transactions as a separate sample. The separate credit transactions\nextracted totaled 203 items amounting to $34,513.\n\nTo determine which transactions to review, we developed a dual-purpose sample to\nincrease the efficiencies of audit procedures. The dual-purpose sample allowed for the\ntesting of internal control effectiveness and the testing of the completeness and accuracy\nof transactions simultaneously. As such, we developed the dual-purpose sample using a\nMonetary Unit Sampling (MUS) approach. This approach resulted in a statistical sample\nof 64 purchase card transactions drawn from a universe of 5,695 transactions (based on a\n95 percent confidence level ((reliability)), and had an expected error rate of 5 percent.)\n\nUsing the dual-purpose sample, we were able to perform additional procedures for the\nreview of specific attributes. For each specific attribute, we extracted transactions from\nthe dual-purpose sample that met that attribute for the related auditing procedures (see the\nchart below for specific attribute samples). As such, for any of the selected transactions\nthat were identified as \xe2\x80\x9cpurchases of easily pilfered goods,\xe2\x80\x9d we performed additional\nprocedures to verify that the goods still existed, could be located, and were being used for\ngovernment purposes. In addition to the dual-purpose sample, we performed audit\nprocedures over key control elements related to the training of cardholders and approving\nofficials, card limits (single purchase and monthly), and purchasing and reviewing\nauthorities, as well as tests to determine if the purchase card program was in compliance\nwith the appropriate regulations. After completion of our control testing, the results were\nanalyzed, summarized, and projected (Dual-Purpose sample only).\n\n\n\n\n                                                                                            7\n\x0cSum m ary of Additional Sam ples\n\n                                                                                                     Total\n          Sam ple                Type                            Description                     Transactions\n\nMUS (Dual Purpose)             Statistical      Random sample of transactions                           64\n\n\n                                                Tw o or more transactions made to the same\nSplit Purchase             Specific Attribute   vendor, re-occurring in a short period of time          48\n\n                                                Individual purchases over the micro-purchase\nOver Micro Limit           Specific Attribute   limit of $2,500                                         7\n\nCredits                    Specific Attribute   Credit transactions selected for review                 10\n\nRounded Amounts            Specific Attribute   Round dollar amounts                                    9\n\n                                                Property Purchases and proper recording of the\nAccountable Property       Specific Attribute   asset                                                   5\n\n\n\n\n                                    RESULTS AND FINDINGS\n\n1. Lack of Adherence to CPSC Policy and Procedures\n\nThe Office of Financial Management (FMFS) does not comply with its own internal\npolicies and procedures regarding the operation and monitoring of the CPSC purchase\ncard program. They also neglect to update their written policies and procedures to reflect\nchanges made to the purchase card program\xe2\x80\x99s operations.\n\nDuring our review of the CPSC Directive 1540.1, Government-wide Purchase Card\nprogram, and its Appendix 1540.1a, Purchase Card Handbook, we noted that both\ndocuments were inconsistent with the current internal control structure and operations of\nthe purchase card program at the CPSC. We noted the following issues:\n\n    \xe2\x80\xa2      In FY 2011, FMFS modified the purchase card program\xe2\x80\x99s processes and internal\n           controls. FMFS communicated these modifications to CPSC employees and\n           documented them in a training presentation provided to attendees/cardholders.\n           FMFS did not, however, update the purchase card program directive to reflect\n           these changes. As written, the current directive and handbook fail to reflect the\n           purchase card program internal controls currently used by the CPSC. The last\n           update to the Directive was made on December 1, 2004 and the Handbook was\n           last updated on November 3, 2003.\n\n\n\n\n                                                                                                    8\n\x0c   \xe2\x80\xa2   As previously noted, WS+B conducted a CPSC purchase card audit during FY\n       2010 covering the audit period of December 2008 through December 2009.\n       WS+B issued the results of the audit to management on October 6, 2010, with\n       recommendations to update the CPSC Directives to address specific internal\n       control weaknesses identified during the audit. As of the start of FY 2011, FMFS\n       had prepared an internal draft update to the handbook, dated July 2011, but no\n       other updates or finalizations had occurred.\n\nInconsistencies found between how FMFS operated the purchase card program and how\nthe CPSC\xe2\x80\x99s policies and procedures state the purchase card program is to operate include\nthe following:\n\n   \xe2\x80\xa2   FMFS is required to perform an annual review of the purchase card program\n       using the GSA\xe2\x80\x99s Blueprint for Success: Purchase Card Oversight Guide. The\n       annual review should include an assessment of the CPSC\xe2\x80\x99s purchase card\n       program: policies, training requirements, delegations of authority, integrity of the\n       purchase process, compliance with procurement regulations, receipt and\n       acceptance procedures, records retention, and handling of inactive accounts. The\n       Procurement Division (FMPS), under the direction of FMFS, conducted the last\n       review of the purchase card program, which took place in FY 2009. That review\n       did not use the GSA Blueprint for Success, as required by CSPC Directive\n       1540.1. In their audit, WS+B found the review performed to be inadequate and\n       recommended that future reviews be performed using the GSA Blueprint for\n       Success\n\n       Per our discussion with FMFS management regarding annual reviews, the reason\n       they did not conduct annual reviews is that FMFS management considered the\n       WS+B audit performed in FY 2010 and the OIG audit currently underway, as\n       reviews that FMFS could rely upon to monitor the program. This interpretation,\n       however, is not consistent with CPSC directive 1540.1, which explicitly requires\n       that FMFS perform an annual review using the GSA\xe2\x80\x99s Blueprint for Success:\n       Purchase Card Oversight Guide as the basis for the review.\n\nRegarding CPSC Directive 1540.1a (Purchase Card Handbook), we identified the\nfollowing contradiction between policy and practice:\n\n   \xe2\x80\xa2   The CPSC Purchase Card Handbook, as well as the training guidance provided by\n       FMFS to cardholders and AOs in FY 2011, states: \xe2\x80\x9cIf an individual no longer\n       needs a card because of a change in duties, transfer, separation, etc., the\n       Approving Official must immediately notify FMFS to cancel the card and then\n       must destroy the card. Cards may not be retained as \xe2\x80\x98souvenirs.\xe2\x80\x99 Cardholders\n       must also turn over to the Approving Official all unbilled purchase card purchase\n       requests and all files pertaining to the use of the card.\xe2\x80\x9d\n\n\n\n\n                                                                                          9\n\x0c       FMFS does not comply with its own policy. It has not required the subject\n       cardholder\xe2\x80\x99s AO to take responsibility for the cancellation of the cardholder\xe2\x80\x99s\n       purchase card. Instead, FMFS is taking the purchase cardholders at their word\n       and trusting them to dispose of the card properly without any independent\n       verification. Further, the guidance above is not clear about whether the ultimate\n       responsibility for canceling the card rests with the AO or FMFS. In either case,\n       the cardholder is not the individual authorized to dispose of the card.\n\n2. Noncompliance with Government-Wide Policies and Procedures:\n\nThe CPSC does not comply with the following regulations governing the purchase card\nprogram:\n\n   a) OMB Circular A-50, Audit Follow-Up. FMFS and FMPS management did not\n      comply with the audit follow-up guidance set forth in OMB Circular A-50. This\n      guidance requires FMFM and FMPS to take corrective action on audit\n      recommendations within 6 months of the agency receiving the final audit report.\n      The agency received the final audit report regarding the FY 2010 Purchase Card\n      Audit performed by WS+B on March 31, 2011.\n\n       The CPSC Chairman, in a letter dated April 20, 2011, directed agency\n       management to send the Chairman\xe2\x80\x99s office and the OIG a status report concerning\n       their implementation of the recommendations set out in the WS+B audit report\n       within 30 days of their receipt of the letter.\n\n       At the start of our audit fieldwork (January 20, 2012), FMFS management\n       indicated that a Corrective Action Plan (CAP) had not been submitted to the OIG,\n       Executive Director, and/or Chairman to address the audit recommendations from\n       the FY 2010 audit by WS+B. Ultimately, the final CAP for the FY 2010\n       Purchase Card Audit recommendations was not finalized until February 22, 2012.\n\n       OMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control. OMB\n       Circular A-123 states that agency management is responsible for establishing and\n       maintaining internal controls to achieve the objectives of effective and efficient\n       operations, reliable financial reporting, and compliance with applicable laws and\n       regulations. We found many areas in which internal controls were designed\n       inappropriately and/or were not effective at meeting the objectives of the CPSC\n       purchase card program. These controls also failed to prevent and correct errors.\n       See further discussion related to the \xe2\x80\x9cLack of Proper Design, Implementation, and\n       Effective Internal Controls\xe2\x80\x9d section below.\n\n       OMB Circular A-123, Appendix B, Improving the Management of Government\n       Charge Card programs. FMFS\xe2\x80\x99s purchase card recovery procedures do not\n       comply with OMB Circular A-123 Appendix B. OMB Circular A-123, Appendix\n       B, Section 2.3, provides agencies guidance on the \xe2\x80\x9crequired elements\xe2\x80\x9d of an\n       agency\xe2\x80\x99s charge card management plan. It requires the agency to recover\n\n                                                                                       10\n\x0c        purchase cards from all employees who terminate their employment with the\n        agency. FMFS does not recover purchase cards from all employees who\n        terminate their employment with the agency. We noted that FMFS lacked a\n        consistent process for recovering purchase cards from cardholders who leave the\n        agency. During our discussion with FMFS regarding the process used to recover\n        purchase cards when employees separate or are terminated from the agency,\n        FMFS indicated that some employees bring the card to FMFS upon separating\n        from the CPSC and at other times, the cardholder disposes of the card on their\n        own and gives notice of this fact to FMFS.\n\n    b) Federal Acquisition Regulation (FAR) Part 13- Simplified Acquisition\n       Procedures. The Federal Acquisition Regulation (FAR) designates the purchase\n       card as the preferred method for making micropurchases. At the time of our\n       audit, a \xe2\x80\x9cmicropurchase\xe2\x80\x9d was defined as any purchase equal to or under $2,500. 1\n       Cardholders are authorized explicitly to make purchases of up to $2,500.00 but\n       should not use the card for purchases above the $2,500 threshold. During our\n       review of purchase card transactions, we identified 24 split purchase transactions\n       made by the Office of Facilities, 5RP (the Lab), and the Office of Information\n       Technology (EXIT). These transactions were identified as split purchases, as\n       these purchases were made to the same vendor, on the same day, or within a short\n       timeframe up to a few months, totaling amounts in excess of the micro-purchase\n       limit of $2,500. In further analysis of these transactions, many of these split\n       purchases, when aggregated throughout the year, resulted in amounts in excess of\n       $7,000. These purchases consisted mainly of goods and services that should have\n       been acquired through a Blanket Purchase Agreement (BPA) due to the repetitive\n       nature and dollar amount of the purchase.\n\n2. Lack of Proper Design, Implementation, and Effective Internal Controls\n\nManagement was aware from a prior audit of a number of weaknesses in its existing\ninternal controls over the purchase card program. As such, at the time of this audit, they\nwere in the process of finalizing new internal controls in the form of a draft directive and\nhandbook. At management\xe2\x80\x99s request, we reviewed this draft agency guidance rather than\nthe existing guidance, which all parties acknowledged needed to be revised.\n\na) Review Over Internal Controls\n\n    Throughout the CPSC purchase card program, we identified that internal controls\n    implemented by FMFS are insufficiently designed and/or are not operating effectively\n    to prevent and correct errors and misuse. The reasons for these deficiencies are\n    ineffective communication of the internal control structure to cardholders and their\n    respective AOs and the previously noted inconsistencies between actual operations\n    and the agency\xe2\x80\x99s written policies and procedures.\n\n1\n Micropurchase means an acquisition of supplies or services using simplified acquisition procedures, the\naggregate amount of which does not exceed the micropurchase threshold, except for construction or in\nother specific instances.\n\n                                                                                                       11\n\x0cWe identified weaknesses in the following areas:\n\n\xe2\x80\xa2   Approval from the Funds Controller is required prior to a purchase being made\n    by the cardholder (Directive 1540.1a\xc2\xa74a (3) DRAFT July 2011). The Funds\n    Controller is responsible for ensuring the funds are available prior to the purchase\n    and obligated properly. However, when an employee is not only the cardholder,\n    but also the Funds Controller for their office, a situation that exists in a number of\n    offices, there is currently no specific guidance on what the employee should do.\n    Thus, this creates a lapse in the operation of the internal control. We identified 38\n    instances in which the cardholders did not obtain approval from the Funds\n    Controller prior to the purchase. The majority of these instances occurred in\n    offices where the cardholders also functioned as their respective office\xe2\x80\x99s Funds\n    Controllers. In addition, the Office of Compliance and Field Investigations (CFI)\n    determined arbitrarily that when dealing with amounts of $200 or less, they do not\n    have to comply with this internal control. This decision overrides the internal\n    control established by FMFS, which requires Funds Controller approval for all\n    purchases, regardless of amount.\n\n\xe2\x80\xa2   Documentation on cardholder order/purchase log for the transaction (Directive\n    1540.1a\xc2\xa74a (3) DRAFT July 2011). We identified 11 instances in which\n    cardholders were not properly using an order log to record their purchase card\n    purchases. Furthermore, some cardholders did not record the final amount paid\n    on the order log and instead used the amounts initially quoted by the vendor.\n\xe2\x80\xa2   AO Approval on the order log before the purchase is made (Directive 1540.1a\xc2\xa74a\n    (3) DRAFT July 2011). We found that this control was not communicated\n    properly to cardholders and AOs during the FY 2011 training conducted by\n    FMFS. Based on an inquiry among cardholders, some did not understand when\n    and how to execute this control. We identified 12 instances in which the\n    cardholders did not have the required AO approval and a number of other\n    instances in which AO approval was obtained but not documented on the order\n    log.\n\n\xe2\x80\xa2   Cardholder Retains a copy of the approved statement, order log, and all charges\n    and credit card slips for inclusion in the procurement file (Directive 1540.1a\xc2\xa78a\n    (9) DRAFT July 2011). We found 12 instances in which the cardholders did not\n    retain their invoice or receipt for purchases, or did they keep their AO-approved\n    statements.\n\n\n\n\n                                                                                       12\n\x0c   \xe2\x80\xa2   Independent receipt by a third party for purchases (Directive 1540.1a\xc2\xa78b DRAFT\n       July 2011). Based on discussions with FMFS, FMFS management deemed this\n       internal control to be impractical for the Field Investigation cardholders;\n       therefore, these cardholders received an exemption from this internal control.\n       Further weakening this control is the fact that, as drafted, it allows individual\n       cardholders to use their discretion about when the control is to be performed. As\n       currently designed, this internal control is only applicable to personnel assigned at\n       the CPSC headquarters and when deemed \xe2\x80\x9cpractical.\xe2\x80\x9d We identified six instances\n       where independent receipt by a third party was not performed.\n\n   \xe2\x80\xa2   Cardholder certification of purchases on the bank statements are to be signed and\n       dated (Directive 1540.1a\xc2\xa78a (5) DRAFT July 2011). We identified 22 instances\n       in which cardholders did not certify and/or date their statements.\n\n   \xe2\x80\xa2   The appropriate and assigned AO signs the US Bank Statement (Directive\n       1540.1a\xc2\xa73e DRAFT July 2011). We found five instances where a cardholder did\n       not have the appropriate AO approval on the statement, the AO did not date the\n       statement upon approving, and/or the AO approved the statements before the\n       cardholder had certified them.\n\n   \xe2\x80\xa2   Sales Tax being recouped when charged (Directive 1540.1a \xc2\xa76 DRAFT July\n       2011). We found five instances where the cardholders incurred sales tax on their\n       charges and did not recoup the money from the vendor.\n\nb) Override of control\n\n   We further note that telecommunication services, which are a type of purchase that is\n   explicitly not authorized to be made with the purchase card (Directive 1540.1\xc2\xa711\n   (December 1, 2004), were being purchased by cardholders. We also found that a\n   cardholder circumvented the purchase card process controls to make a purchase that\n   was to be paid by another organization.\nc) Internal Control Override in the Field Investigations Directorate\n\n   Without the knowledge or approval of FMFS staff or management, the Field\n   Investigations Directorate developed a separate process for using the purchase card\n   that contradicted agency policy and procedures. This process was developed despite\n   explicit guidance from the then-Chief Financial Officer (CFO) to the Field\n   Investigation Directorate to comply with existing agency purchase card policies and\n   procedures. Further, we obtained e-mail sent to Field Investigations Directorate\n   cardholders and AOs in response to the former CFO\xe2\x80\x99s guidance on purchase cards,\n   which instructed Field Investigations Directorate employees to continue with their\n   method of use for the purchase card program, even though it was against agency\n   policy. The following control overrides were identified:\n\n\n\n                                                                                         13\n\x0c   \xe2\x80\xa2   Cardholders did not need to obtain approval before purchase from Funds\n       Controllers for amounts less than $200;\n   \xe2\x80\xa2   Cardholders did not send their documentation and statement approvals directly to\n       the AO;\n   \xe2\x80\xa2   Cardholders did not retain a copy of the AO-approved statement; and\n   \xe2\x80\xa2   Cardholders are allowed to charge telecommunication services using their\n       purchase card.\n\nd) Improper/Unauthorized/Abusive Purchases\n\nOMB Circular A-123, Appendix B, Section 4.6, states that an \xe2\x80\x9cimproper purchase\xe2\x80\x9d is any\npurchase that should not have been made under statutory, contractual, administrative, or\nother legally applicable requirements. An improper purchase can be one of two types: (1)\nunauthorized, or (2) incorrect. An \xe2\x80\x9cunauthorized purchase\xe2\x80\x9d is defined as a purchase that\nis made intentionally and outside of the authority of the purchase cardholder. \xe2\x80\x9cAbusive\npurchases\xe2\x80\x9d are defined by the GAO as occurring \xe2\x80\x9c. . . where the conduct of a government\norganization, program, activity, or function fell short of societal expectations of prudent\nbehavior . . . examples of abusive purchases (include) where the cardholder (1) purchased\ngoods or services at an excessive cost (e.g., gold plated), or (2) purchased an item for\nwhich government need was questionable.\n\nWe identified the following improper purchases made in violation of the CPSC directive\ngoverning the use of the P-Card, which explicitly states that purchase cards cannot be\nused for any expense related to telecommunications:\n\n   \xe2\x80\xa2   Our initial review found two instances in which telecommunication services had\n       been purchased. Further analysis of the entire population of purchase card\n       transactions found 269 improper purchases of telecommunications services.\n\n   \xe2\x80\xa2   Three Apple iPad 2s with 3G and 64 GB capabilities (the most expensive\n       configuration sold at the time), each for $825.00, were purchased for use by the\n       three most senior management officials in the Office of Information and\n       Technology (EXIT). Management maintains that the iPad 2s were purchased to\n       meet a legitimate government need (testing the compatibility of the iPad 2s with\n       the CPSC\xe2\x80\x99s network) and that they did not constitute \xe2\x80\x9ctelecommunications\xe2\x80\x9d\n       devices, so their purchase did not violate the CPSC directive governing the use of\n       the purchase card. However, management also acknowledged that there was no\n       \xe2\x80\x9ctesting plan\xe2\x80\x9d or other documentary evidence to substantiate that the purpose for\n       which the iPad 2s were purchased was for \xe2\x80\x9ctesting\xe2\x80\x9d; nor did management explain\n       why the most expensive configuration had to be purchased rather than a less\n       expensive one. Similarly, there was no documentation to show the results of\n       whatever tests were performed. We further note that the iPad 2s were purchased\n       in July 2011, and were not properly accounted for by management within the\n       CPSC\xe2\x80\x99s Property Management System (PMS) until March 2012, after the failure\n       to account properly for them was brought to management\xe2\x80\x99s attention by this audit.\n       (See Appendixes A & B)\n\n                                                                                        14\n\x0ce) Improper Approval for Purchases Exceeding Micropurchase Limit\n\nTwo out of the seven samples we reviewed did not have proper approval for purchases\nexceeding the micro-purchase limit of $2,500.\n\n3. Accountable Property\n\nWe identified two instances in which property purchased using the purchase card was not\nproperly accounted for and timely entered into the property management system (PMS).\nThe PMS serves as the system of record to account for accountable and sensitive\nproperty, and without proper recording of the asset, such assets are susceptible to fraud\nand misuse. The noted items found included a label maker (received on 8/24/11) and\nthree iPad 2s (received on 7/21/11) entered into the PMS system only after our audit\nidentified their improper recording in March 2012.\n\n                                    CONCLUSION\n\nBased on the results and findings noted above, the CPSC has not complied with its or the\ngeneral federal government purchase card program regulations, policies, and procedures.\nMoreover, the CPSC\xe2\x80\x99s purchase card program has significant internal control\nweaknesses. We have discussed our recommendations with management. Management\nplans to take the proper action to remediate the issues noted and will implement policies\nand procedures to strengthen the program through the development of a CAP.\n\n                               RECOMMENDATIONS\n\nTo ensure that internal controls related to the CPSC\xe2\x80\x99s purchase card program are\neffective in mitigating the risk of abuse or fraud, we recommend that the Chairman of the\nU.S. Consumer Product Safety Commission direct the Chief Financial Officer to:\n\n   1. Update and finalize, with approval from the Chairman or Executive Director, the\n      CPSC purchase card Directive (1540) and associated Handbook (1540.1a) in the\n      near future in order to ensure compliance with program laws and regulations and\n      specifically to address:\n\n           a. Proper management approvals and when to obtain them in the process\n              (i.e., funds controller, AO);\n           b. Headquarters vs. Field Process;\n           c. Independent Receipt;\n           d. Definitions of unauthorized purchases;\n           e. Split Purchase Guidance;\n           f. Sales Tax Exemption;\n           g. Signing and Dating the US Bank Statements for cardholders and AOs;\n           h. Actual vs. Final prices recorded on the Order Log;\n           i. Safeguarding Accountable Property;\n\n                                                                                       15\n\x0c          j. Allowing Others to Use the Purchase Card; and\n          k. Approval of purchases over the Micro-Purchase limit.\n\n   2. Ensure that after the updated purchase card directive and handbook are finalized,\n      FMFS conducts mandatory internal training for all cardholders and AOs,\n      regardless of their participation in GSA training, to provide guidance on the\n      updated changes to the purchase card program contained in the directive and\n      handbook.\n\n   3. Devise and execute, at a minimum, an annual review for FMFS to perform over\n      the purchase card program to identify unusual or fraudulent purchases, and to\n      ensure cardholder and AO compliance with the program.\n\n   4. Revise the current purchase card Corrective Action Plan to incorporate the\n      findings and recommendations associated with the FY 2011 audit and perform the\n      necessary corrective actions in a timely manner.\n\n   5. Monitor assets purchased with the purchase card to ensure that cardholders\n      communicate properly with property custodians and that the purchased assets are\n      bar-coded and recorded in the PMS system.\n\n   6. We recommend that the Commission hold the certifying official personally liable\n      for the funds spent related to the purchase of the three Apple iPad 2s discussed\n      above in the amount of $2,480.00.\n\n   7. Perform continuous monitoring of the purchase card program throughout the\n      fiscal year to reduce the risk of noncompliance with laws and regulations.\n\n\n                           MANAGEMENT RESPONSE\n\nManagement concurred with all audit findings except one. Management did not concur\nwith the finding and recommendation related to the improper purchasing by EXIT of the\nApple iPad 2s. See Management\xe2\x80\x99s response to the audit finding at Appendix A. See\nOIG\xe2\x80\x99s response to Management\xe2\x80\x99s assertions at Appendix B.\n\n\n\n\n                                                                                      16\n\x0cAPPENDIX A: MANAGEMENT RESPONSE\n\n\n\n\n PAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                                  17\n\x0c       APPENDIX B: OIG\xe2\x80\x99S RESPONSE TO MANAGEMENT\xe2\x80\x99S RESPONSE\n\nDuring the course of the audit, we found that three Apple iPad 2s with 3G and 64 GB\ncapabilities had been purchased, each in the amount of $825.00, for use by the three\nsenior management officials in the Office of Information and Technology Services\n(EXIT). These purchases were viewed as improper (as they violated the CPSC directive\ngoverning the use of the purchase card), questionable (in terms of whether there was a\nlegitimate government need for the purchase), and there was a lack of documentation\nsupporting the government\xe2\x80\x99s decision to make the purchase. As a result, we issued a\nfinding that the purchase was improper, unauthorized, and abusive.\n\nManagement disagreed with this finding and the resulting recommendation that the\ncertifying official responsible for the purchase should be held personally liable for the\ngovernment funds expended. Management issued a lengthy response to our finding and\nrecommendation. After thoroughly reviewing management\xe2\x80\x99s response, for the reasons\nset out below, the finding and recommendation stand as originally issued.\n\nBoth OMB and GAO have issued guidance regarding what they view as improper,\nunauthorized, or abusive purchases.\n\nOMB Circular A-123, Appendix B, Section 4.6, defines an \xe2\x80\x9cimproper purchase\xe2\x80\x9d as, \xe2\x80\x9c. . .\nany purchase that should not have been made . . . under statutory, contractual,\nadministrative, or other legally applicable requirements. . . .\xe2\x80\x9d GAO Report 08-333 offers\na similar definition, \xe2\x80\x9c. . . those purchases that although intended for government use, are\nnot permitted by law, regulation, or government/agency policy.\xe2\x80\x9d\n\nOMB Circular A-123, Appendix B, further defines unauthorized purchases to \xe2\x80\x9c. . . consist\nof items that are intentionally purchased and are outside of the cardholder\xe2\x80\x99s purchasing\nauthority. For instance, using a government charge card to purchase a tennis racket is an\nunauthorized purchase.\xe2\x80\x9d\n\nCPSC Directive 1540.1 governs the CPSC\xe2\x80\x99s purchase card program. This directive\ncontains a prohibition against CPSC employees using the purchase card to acquire\ntelecommunications services or supplies. Although, the directive contains no definition\nof the term \xe2\x80\x9ctelecommunication,\xe2\x80\x9d the most common definitions (Webster's Dictionary,\nWikipedia, etc.) refer to \xe2\x80\x9ccommunication at a distance\xe2\x80\x9d and \xe2\x80\x9ctechnology that deals with\ntelecommunication\xe2\x80\x9d with special reference to the Internet and social media. The subject\niPad 2s with 3G would appear to fall squarely within the prohibition contained in this\ndirective. 2 As such, their purchase, made without authority, violates the agency\xe2\x80\x99s\nregulation governing the use of the purchase card.\n\n2\n The CPSC\xe2\x80\x99s Office of the General Counsel has issued an opinion that comes to a contrary conclusion.\nDespite acknowledging: \xe2\x80\x9cThe telecommunication features of the iPad 2 include being able to \xe2\x80\x98run on a\nwireless network, a 3G cellular network, or third generation mobile telecommunications\xe2\x80\x99. . ., \xe2\x80\x9d they\nultimately concluded that the iPad 2 was not a telecommunications device for the purposes of this audit.\n(See the unsigned draft legal review attached to management response at Appendix 1.) The OIG is not\nbound by the reasoning of the OGC and does not find it persuasive in this matter.\n\n                                                                                                           18\n\x0cGAO Report 08-333 defines \xe2\x80\x9cabusive purchases\xe2\x80\x9d as follows: \xe2\x80\x9c. . . where the conduct of a\ngovernment organization, program, activity, or function fell short of societal expectations\nof prudent behavior . . . examples of abusive purchases (included) where the cardholder\n(1) purchased goods or services at an excessive cost (e.g., gold plated), or (2) purchased\nan item for which government need was questionable.\xe2\x80\x9d\n\nThe \xe2\x80\x9cstarting price\xe2\x80\x9d of an iPad 2 in 2011, according to the Apple website, was $499.00.\nThe iPad 2 comes in 16GB, 32 GB, and 64 GB configurations. The configuration\npurchased by the CPSC was the most expensive or \xe2\x80\x9cgold plated\xe2\x80\x9d model. In its response,\nmanagement has stated that this configuration was necessary to meet the needs of the\ninvestigators to whom it might be issued. No explanation or documentation was ever\nprovided regarding how it was determined that the investigators in question needed those\nspecific requirements. Similarly, no explanation was made as to why the agency\xe2\x80\x99s testing\nof \xe2\x80\x9cdevice management tools and device integration,\xe2\x80\x9d the original rationale given for the\npurchase (see below), would require more than 16GB of storage capacity.\n\nWhen we inquired about why EXIT made the purchase (i.e., querying what government\nneed was the purchase made to address?), EXIT management stated that the iPad 2s were\nbeing used to perform \xe2\x80\x9cinformal market research on device management tools and device\nintegration.\xe2\x80\x9d However, when we requested a copy of the test plan or the results of the\nanalysis or research performed, to date, EXIT management indicated that there was no\ndocumentation of either. This raises questions regarding the validity of the justification\nfor purchasing the assets, which had been in EXIT\xe2\x80\x99s possession for almost a year prior to\nthe audit, apparently with no documented research or analysis performed.\n\nIn Management\xe2\x80\x99s response to the finding, we noted that Management stated EXIT was\nperforming \xe2\x80\x9cother types of reviews\xe2\x80\x9d on the products, as well as \xe2\x80\x9cStaff met with several\nvendors to determine how they have addressed security requirements . . .\xe2\x80\x9d However, none\nof the reviews and/or discussions have been documented and provided to the OIG for\nreview. Although, Management asserts that the purchase of the iPad 2s by the agency is\n\xe2\x80\x9cjustifiable by the business needs of the agency,\xe2\x80\x9d there is no documentation to support\nthis position.\n\nAlso troubling is the fact that the three iPad 2s were received by EXIT on July 21, 2011,\nbut as of March 1, 2012, the iPad 2s had not been entered into the Property Management\nSystem (PMS). Thus, for more than 6 months, the iPad 2s remained unaccounted for by\nthe agency. Although, Management stated in its response that the items were \xe2\x80\x9cassigned\nbarcodes on September 20, 2011 (one iPad 2) and September 28, 2011 (two iPad 2s),\xe2\x80\x9d\nthis does not establish that on those dates EXIT properly accounted for the items. The\nbar-coded asset actually must be entered into the PMS to be accounted for properly.\n\xe2\x80\x9cAssigning\xe2\x80\x9d a barcode or physically attaching the barcode sticker to an asset is not a\nproper process for recording an asset; nor does simply placing the barcode sticker on\nproperty mean the purchaser has accounted for the property. Until the barcode sticker\nand the item are \xe2\x80\x9cmarried together\xe2\x80\x9d within the property management system, there is no\naccountability for the asset.\n\n                                                                                        19\n\x0cIn addition, the OIG obtained an e-mail on March 6, 2012, from the cardholder who\npurchased the iPad 2s, stating: \xe2\x80\x9c. . . the equipment was not tagged but it seems they were\ntagged in November 2011.\xe2\x80\x9d Thus, this adds a third possible date suggesting when the\nprocess began of accounting for the iPad 2s. The confusion about when the placement of\nthe \xe2\x80\x9cbar code stickers\xe2\x80\x9d on the iPads occurred underscores the fact that there is no accurate\nmethod to determine if, and when, tagging an asset occurs, unless the purchaser properly\nenters the asset into the PMS system of record. These types of sensitive and expensive\ntelecommunication devices that are highly susceptible to theft should have been properly\nbarcoded and entered into the PMS by the property custodian, and transferred and\naccepted within the PMS in a timely manner by the senior management personnel to\nwhom they were issued.\n\nBased on the current agency directive governing the purchase card program, the lack of\ndocumentation provided by management, along with the definitions provided by OMB\nand GAO, we find that the purchase of the iPad 2s was improper (it was in violation of\nCPSC Directive 1540.1), unauthorized (it was an intentional purpose that was outside of\nthe cardholders purchasing authority), and abusive (the purchase fell short of societal\nexpectation, both in terms of excessive cost and questionable need). The lack of\ndocumentation supporting government need, the lack of documentation regarding to what\nlegitimate use the iPad 2s were put, and the failure to log the iPad 2s into the PMS\nproperly, potentially could create the perception that the purchase may have been for a\nfraudulent purpose (personal use).\n\nThe original finding and recommendation stand, as written. The official who\napproved/certified the purchase of the iPad 2s should be held personally financially liable\nfor the full amount of the unauthorized purchase. Under 31 U.S.C. Sec. 3528, the\ncertifying official who signs the voucher is responsible for the existence and correctness\nof the facts cited in the certificate, voucher, or supporting papers. In addition, the\ncertifying official is responsible for the legality of the proposed payment and is liable for\nany illegal, improper, or incorrect payment resulting from any false, inaccurate, or\nmisleading certification he or she makes, as well as for any payment prohibited by law, or\nthat did not represent a legal obligation. As discussed previously, the purchase of the\niPad 2s was improper and unauthorized because it violated the CPSC\xe2\x80\x99s directive\ngoverning the purchase card program.\n\n\n\n\n                                                                                          20\n\x0cManagement\xe2\x80\x99s Response to the Office of the Inspector\nGeneral\xe2\x80\x99s Notice of Finding and Recommendation,\nFinding #11, Improper Purchase, CPSC FY 2011\nPurchase Card Review Audit\n\nManagement disagrees with the OIG finding that the purchase of the three iPad 2s was\nimproper, unauthorized, and abusive, according to OMB Circular A-123 and GAO Report 08-333.\nManagement accepts the recommendation that an oversight program be established in the\nDivision of Financial Services (FMFS); however, given that the purchase of the iPad 2s was\nproper, an oversight program would not have identified the purchase as improper. Management\nagrees that the iPad 2s should have been entered into the Property Management System in a\ntimelier manner and is reviewing its standard operating procedures to correct that issue.\n\nPurchase Was Not Improper or Unauthorized\n\nThe Office of Management and Budget (OMB) and the Government Accountability Office (GAO)\nprovide definitions of improper purchases. According to OMB Circular A-123, an improper\npayment is \xe2\x80\x9c. . . any purchase that should not have been made . . . under statutory, contractual,\nadministrative, or other legally applicable requirements.\xe2\x80\x9d The GAO Report 08-333 defines\nimproper transactions as purchases that \xe2\x80\x9care not permitted by law, regulation, or\ngovernment/agency policy.\xe2\x80\x9d The CPSC\xe2\x80\x99s administrative requirements and agency policy relating\nto this purchase are set in CPSC Directive 1540.1, Government Commercial Purchase Card\nProgram. Considering these guidance documents and relevant agency policy, the CPSC\xe2\x80\x99s Office\nof the General Counsel (\xe2\x80\x9cOGC\xe2\x80\x9d) determined that \xe2\x80\x9cthe purchase of the iPads is not prohibited [by\nthe CPSC directive], and thus, the purchases were not improper under the criteria established in\nOMB Circular A123, appendix B.\xe2\x80\x9d 1 OGC also found that the purchases \xe2\x80\x9cwere appropriately\nauthorized under the OMB Circular.\xe2\x80\x9d 2 Based on OGC\xe2\x80\x99s legal determinations, as well as\nManagement\xe2\x80\x99s own understanding of the relevant guidance documents and agency policies,\nManagement believes the purchase of the iPad 2s was not improper, unauthorized or abusive.\n\nAn iPad 2 is a tablet computer that performs traditional computer hardware functions and also\ncontains many telecommunications features. While the directive prohibits the use of a purchase\ncard to purchase a telecommunication device, it permits the use of a purchase card to purchase\ncomputer hardware. The traditional computer hardware functions of the iPad 2 include\nallowing \xe2\x80\x9can employee to access files, edit documents, create forms, take notes, create invoices,\nanalyze reports, brainstorm ideas, and create presentations.\xe2\x80\x9d 3 The telecommunication features\nof the iPad 2 include being able to \xe2\x80\x9crun on a wireless network, a 3G cellular network, or third\ngeneration mobile telecommunication.\xe2\x80\x9d 4 The hybrid nature of the device means it \xe2\x80\x9cdoes not fall\n\n1\n  May 29, 2012 memorandum from Pamela L. Brinker to Kenneth R. Hinson, Purchase Card Use for iPads,\n  at 1 (Attachment A) (\xe2\x80\x9cOGC memo\xe2\x80\x9d).\n2\n  Id.\n3\n  Id. at 2.\n4\n  Id.\n\n                                                 1\n\x0csquarely into the definition of either computer hardware or a telecommunication device.\xe2\x80\x9d 5 In\nlight of these factors, the Office of the General Counsel concluded that \xe2\x80\x9cthe use of the purchase\ncard to purchase these devices [was] not expressly prohibited by CPSC Directive 1540.1, as\nwritten.\xe2\x80\x9d 6\n\nIn light of the legal finding that the purchase of the iPads was not outside of the cardholder\xe2\x80\x99s\npurchasing authority proscribed by the CPSC directive, there can be no unauthorized purchase\npursuant to OMB guidance. 7 Accordingly, the purchase of the iPads was not unauthorized\npursuant to the OMB Circular. 8 Further, since the purchase was not unauthorized, the purchase\nwas also not an improper purchase under the OMB Circular.\xe2\x80\x9d 9\n\nAlthough Management finds that the purchase of the iPad 2s was not improper or unauthorized,\nit is apparent that CPSC\xe2\x80\x99s directive did not envision the existence of items such as the tablet\ncomputer. Accordingly, Management is updating the directive to be more consistent with its\noriginal intent 10 and to reflect advances in technology.\n\nPurchase Was Not Abusive or Fraudulent\n\nManagement disagrees that the iPad 2 purchase fits into the definition applied from GAO Report\n08-833 that the purchase was abusive, meaning it was either excessive or of questionable need.\nManagement also disagrees that the purchase was fraudulent and intended for personal use.\n\nEvaluating and recommending information technology (IT) equipment and solutions is an\nintegral part of the Office of Information & Technology Services\xe2\x80\x99 (EXIT\xe2\x80\x99s) mission to implement\nand operate an IT infrastructure that helps the agency\xe2\x80\x99s program areas meet their goals. iPads,\nother tablets, and smart phones are evolving at an extremely rapid pace. Although they have\nbecome pervasive across business and government, they do not always mesh neatly into an\nexisting IT infrastructure. At any given time, EXIT is actively reviewing and testing many\ndifferent information technology solutions.\n\nAll IT initiatives that involve product selection and implementation also involve risk. EXIT\nattempts to mitigate that risk by rigorously testing any technology being considered. When\npossible, EXIT attempts to acquire evaluation units from vendors at no cost and on a temporary\nbasis. When EXIT cannot acquire evaluation units and when the cost of the evaluation suite is\nrelatively small, as was the $2,400 cost for the three iPad 2s, EXIT procures the equipment as an\nexpediency. EXIT also purchases units when the evaluation is likely to be of an undetermined\nperiod.\n5\n  Id.\n6\n  Id. at 3.\n7\n  OMB A 123, appendix B sec. 4.6, states that \xe2\x80\x9cunauthorized purchases consist of items that are\nintentionally purchased and are outside of the cardholder\xe2\x80\x99s purchasing authority.\xe2\x80\x9d (emphasis added).\nSince the CPSC directive did not prohibit the cardholder from making the purchase of the iPads, the\npurchase was not \xe2\x80\x9coutside of the cardholder\xe2\x80\x99s purchasing authority\xe2\x80\x9d and thus, there is no unauthorized\npurchase.\n8\n  See OGC memo at 4.\n9\n  See id.\n10\n   The prohibition of using purchase cards for telecommunications was intended to ensure that employees\nused Federal Telecommunications Services (FTS) cards when making voice calls and not purchase cards.\n\n                                                  2\n\x0cEXIT\xe2\x80\x99s approach with respect to the evaluation of new technology, such as the iPad 2, has been\nfocused on CPSC\xe2\x80\x99s business needs. EXIT included requirements unique to tablet computers and\nsmart phone devices as part of the Headquarters wireless network implementation. EXIT also\nreviews the application integration capabilities of these devices to see how they can be used\nwith CPSC\xe2\x80\x99s existing office automation suite and potentially as tools for field and import\ninvestigators, where a tablet solution appears to afford great utility. The plan was to have\nimplemented the wireless solution last fall, but because of technical problems that the vendor\nwas slow in addressing, the project was delayed. EXIT did continue other types of reviews with\nthe products, such as a Shortel app, a VPN app, several calendar apps, word processing apps,\nand utility programs, such as One Note. Staff also met with several vendors to determine how\nthey have addressed the security requirements in the Federal Information Processing Standard\nPublication 140-2. Staff\xe2\x80\x99s review addressed two factor authentication, VPN connection, and data\nencryption. Currently, staff is testing the devices to determine how well they fit into CPSC\xe2\x80\x99s\narchitecture.\n\nIn order to test the iPad 2 as staff would use them in production, EXIT purchased the model with\n3G capability, a requirement for field and import investigators. Staff purchased the 64GB units\nbecause the devices need to be able to support the document and image storage requirements\nof an investigator. These requirements include being able to download information prior to\ngoing on site to conduct an investigation as well as the ability to add large amounts of data to\nthe device when gathering facts during an investigation. The smaller units with only 16GB or\n32GB of memory, which cost about $200 less than the 64GB units, would not meet the needs of\nthe investigators. Thus, Management does not consider the purchase of the 64 GB version to be\nexcessive or unwarranted.\n\nEXIT has a small staff for the level of work required. EXIT managers and supervisors play\nimportant roles above and beyond their management duties. At the CPSC, the Chief Information\nOfficer (CIO) performs many of the functions performed by the Chief Technical Officer in a larger\nagency. The CIO had full responsibility for the recommendation to evaluate the iPad 2 and\ncontinues to drive the tablet computer\xe2\x80\x99s evaluation for suitability at CPSC. The CIO is also the\nfunctioning Program Manager for CPSRMS and is integrally involved in product selection,\ntesting, and purchase. Because of his involvement in every IT initiative at CPSC, he uniquely is\npositioned to review all requirements in the systems that EXIT implements. The CIO, Deputy CIO,\nand senior supervisor who tested the devices represent a wide range user types. The senior\nsupervisor, EXIT\xe2\x80\x99s Director of Technical Services, is extremely well versed in networking and\nsecurity challenges. The Deputy CIO has knowledge of the agency\xe2\x80\x99s program areas and brings a\nfirm understanding of their needs at many levels. The CIO, as noted, is CPSC\xe2\x80\x99s chief technology\nofficer. The CIO works most closely with the Deputy CIO and the Director of Technical Services\non a daily basis and is able to assign them areas for evaluation that helped test the units.\n\nBased on these factors, Management does not believe that the purchase of the iPad 2s was\nexcessive\xe2\x80\x94the purchase is justified by the business needs of the agency. Management also does\nnot believe that the iPad 2s were purchased for questionable need or personal use; rather, they\nwere part of an ongoing review of application integration capabilities to determine how\nemerging technology can be used with CPSC\xe2\x80\x99s existing office automation suite, and potentially,\nas tools for field and import investigators where a tablet solution appears to afford great utility.\n\n\n                                                 3\n\x0cFor these reasons, Management does not consider the purchase of the iPad 2s to be abusive or\nfraudulent.\n\nMonitoring of Purchase Card Program\n\nManagement accepts the recommendation that an oversight program be established in the\nDivision of Financial Services (FMFS); however, given that the purchase was proper, an oversight\nprogram would not have identified the purchase as improper.\n\nThe GSA guidance and criteria for identifying fraud or misuse of purchase cards are as follows:\n\n    \xe2\x80\xa2   Purchases that exceed the cardholder\xe2\x80\x99s limit,\n    \xe2\x80\xa2   Purchases not authorized by the agency,\n    \xe2\x80\xa2   Purchases for which no funding exists,\n    \xe2\x80\xa2   Purchases for personal consumption,\n    \xe2\x80\xa2   Purchases that do not comply with the FAR and/or other applicable procurement\n        statutes and regulations, and\n    \xe2\x80\xa2   Purchases billed by the merchant but not received by the agency.\n\nThe purchase card transaction for the iPad 2s does not meet the GSA criteria for fraud or\nmisuse. In addition, the iPad 2 purchase is in compliance with the CPSC\xe2\x80\x99s\nApproval/Authorization requirements. There was supporting documentation for the purchase\ncard transaction and items were delivered to the CPSC business address. The items were\nreceived on July 21, 2011, and assigned barcodes on September 20, 2011 (one iPad 2) and on\nSeptember 28, 2011 (two iPad 2s).\n\nFurthermore, the iPad 2 purchase is in compliance with the GSA Blueprint for Successful\nPurchase Card Oversight, meeting the requirements for card usage, documentation, and\nprocessing, so had FMFS used that as a guide, the purchase would have been deemed proper\nand thus, not flagged for further review.\n\nManagement does agree that the iPad 2s should have been entered into the Property\nManagement System in a timelier manner and is reviewing its standard operating procedures to\ncorrect that issue.\n\nResponse to Recommendations\n\nBased on the guidance provided by OMB and GAO, and the legal determinations of CPSC\xe2\x80\x99s OGC,\nManagement does not agree that the purchase of the iPad 2s was improper, unauthorized, or\nabusive. Management also does not agree that due to the lack of documentation supporting\ngovernment need, the purchase created the perception that it was for a fraudulent purpose.\nThus, Management does not accept the recommendation to hold the official who\napproved/certified the purchase of the iPad 2s personally financially liable for the full amount of\nthe purchase of the devices.\n\nManagement accepts the recommendation that an oversight program should be established\nwithin FMFS. FMFS will set up procedures to periodically review purchases to determine if any\nappear to be improper, outside the scope of business use for the organization, or fraudulent.\n\n                                                 4\n\x0cManagement also agrees to review and revise as necessary its standard operating procedures to\nensure that property is entered timely into the Property Management System.\n\n\n\n\n5/30/2012\n\nAttachment A: OGC memo\n\n\n\n\n                                              5\n\x0c                                                                                                           Attachment A\n\n\n\n\n                     U. S . CO NS UME R P RO DUCT S A FE TY CO MMI S S I O N\n                                    B ET HE S DA , MD 20 8 14\n\n\nMEMORANDUM                                               May 29, 2012\n\nTO:                 Kenneth R. Hinson, Executive Director\n\nTHROUGH: Cheryl A. Falvey, General Counsel\n         Mary T. Boyle, Acting Deputy General Counsel\n         Melissa D. Buford, Assistant General Counsel for General Law\n\nFROM:               Pamela L. Brinker, Attorney, General Law Division\n\nSUBJECT:            Purchase Card Use for iPads\n\n                                                            ISSUES\n\n     1) Is the purchase of an iPad 2 using a CPSC purchase card permitted by CPSC policy?\n     2) Based on the purchase documentation, was the purchase of the three iPad 2s proper under the\n        criteria established in OMB A 123, appendix B?\n     3) Based on the purchase documentation, was the purchase of an iPad 2 appropriately authorized\n        under OMB A 123, appendix B?\n\n\n                                                          ANSWERS\n\n      1) While not expressly permitted, the purchase card Directive does not prohibit the purchase of\n         the iPad 2 because it is a hybrid device that combines telecommunications features with\n         traditional computer functions.\n      2) Yes. Given the lack of clarity in the CPSC directive regarding hybrid devices, the purchase of\n         the iPads is not prohibited, and thus, the purchases were not improper under the criteria\n         established in OMB Circular A123, appendix B.\n      3) Yes. Given the lack of clarity in the CPSC directive regarding hybrid devices, the purchases\n         were not prohibited by the CPSC Directive, and thus, they were appropriately authorized under\n         the OMB Circular.\n\n                                                        DISCUSSION\n\n        The CPSC purchase card Directive permits the purchase of computer hardware, but does not\npermit the purchase of a telecommunications device. 1 Thus, to assess whether the iPad purchase was\n\n\n1\n    The CPSC purchase card directive (1540.1, paragraph 11) prohibits the use of the card to purchase telecommunications.\n\n\n                               CPSC Hotline: 1-800-638-CPSC(2772) CPSC's Web Site: http://www.cpsc.gov\n\x0c2\n\n\n\npermissible under the purchase card Directive, we must determine whether the iPad is computer\nhardware or whether it is a telecommunication device.\n\n        According to Webster\xe2\x80\x99s Dictionary and Wikipedia, telecommunication is defined as\n\xe2\x80\x9ccommunication at a distance\xe2\x80\x9d and \xe2\x80\x9ctechnology that deals with telecommunication.\xe2\x80\x9d Wikipedia notes\nfurther that email and other transmission of data via the internet technically constitutes\ntelecommunication. Webster\xe2\x80\x99s dictionary defines \xe2\x80\x9ccomputer\xe2\x80\x9d as \xe2\x80\x9ca programmable usually electronic\ndevice that can store, retrieve, and process data.\xe2\x80\x9d Initially, computer hardware consisted of desktop\ncomputers that employees could not transport, a bright line that made the demarcation between\ncomputer hardware and telecommunication devices relatively straightforward. However, as\ntechnology progressed, laptop computers incorporated telecommunication features, allowing\nemployees to work from remote locations, thereby blurring the line between telecommunication\ndevices and traditional computers. At the CPSC, this line was further blurred when employee laptops\nwere equipped with Shoretel telephone features, providing a traditional telecommunications attribute\xe2\x80\x94\ntelephone capability\xe2\x80\x94 through a portable computer.\n\n        Building on the laptop concept, technological advances led to the development of even smaller\nand lighter computer systems known as tablet computers. Wikipedia defines \xe2\x80\x9ctablet computers\xe2\x80\x9d as \xe2\x80\x9ca\nmobile computer\xe2\x80\x9d that is \xe2\x80\x9cintegrated into a flat touch screen and primarily operated by touching the\nscreen rather than using a physical keyboard.\xe2\x80\x9d 2 Wikipedia defines the iPad as a tablet computer, 3 that\nis used \xe2\x80\x9cprimarily as a platform for audio-visual media including books, periodicals, movies, music,\ngames, apps and web content.\xe2\x80\x9d The iPad is a small and lightweight device that allows an employee to\naccess files, edit documents, create forms, take notes, create invoices, analyze reports, brainstorm\nideas, and create presentations. These are clearly functions traditionally performed by computer\nhardware. Apple does not define its iPad 2 as either a telecommunication device or tablet computer,\nadvertising it as performing functions traditional to both a computer and a telecommunication device. 4\nThus, with the advent of the tablet computer, the dividing line between telecommunication devices and\ncomputer hardware became even less clear. Indeed, all computer hardware currently incorporates\nsome telecommunication aspects. 5\n\n        Although the iPad 2 performs traditional computer hardware functions, it also contains many\ntelecommunications features, underscoring the hybrid nature of a product that does not fall squarely\ninto the definition of either computer hardware or a telecommunication device. For example, iPads\ncan run on wireless internet, a 3G cellular network, or third generation mobile telecommunication, 6\nfacts that place it in the telecommunication realm. The iPad can also perform traditional\ntelecommunication tasks such as allowing an employee to connect to the office to participate in a\nmeeting or give a presentation remotely, functions that are also available on a laptop computer.\nAdditionally, the device operates on iOS, an operating system designed specifically for mobile\n\n\n2\n  Although Wikipedia may seem like an unreliable source to be citing in a legal memorandum, Webster\xe2\x80\x99s Dictionary, which\ncourts turn to for ordinary dictionary meaning of terms, does not define tablet computer.\n3\n  See Wikipedia definition.\n4\n  See http://www.apple.com/ipad/built-in-apps/ (claiming the device is good for messaging, reminders, calendar, music,\nemail, web browser, photos, tweeting, reading, video calls, and maps.)\n5\n Email, Skype, and webcasts are examples.\n6\n  The iPad 2 had 3G capabilities; however, the newest model, the iPad 3, runs on 4G so Apple, AT&T and Verizon sites\noften reference 4G but it is, for our purposes, interchangeable as both are cellular networks.\n\x0c3\n\n\n\ntelecommunications devices 7 and can be operated on the third generation mobile telecommunication\n(3G cellular) network. 8\n\n\n        The iPad 2 comes in a variety of models including models that only transmit data through a\nwireless internet connection and models that have the ability to transmit data through both a wireless\ninternet connection and 3G cellular networks. Both types of models are available in 16 gigabytes, 32\ngigabytes, or 64 gigabytes. The CPSC purchased the 64 gigabyte model with both wireless internet\nand 3G capabilities. The purchase of the more expensive device with 3G capabilities suggests that the\nemployees intended to use the devices on the 3G cellular network. To operate any of the applications\nthat require internet or to download additional applications without using wireless internet, the user\nmust use a 3G cellular network. If the iPad has 3G capability, the user may purchase a data plan from\nthe appropriate carrier. 9 Both carriers use 3G as their cellular network. 10 There is no indication as to\nwhether the CPSC actually purchased 3G data plans for the devices. However, because the CPSC does\nnot currently have wireless internet capability and the iPad cannot be hooked up to landline internet,\nthe devices would have needed a 3G cellular network at CPSC headquarters for any tasks requiring\ninternet access. Absent a 3G cellular network, the employees would have been unable to download\nany application, which would prevent the iPad from being used productively for CPSC business. 11\nThe recent announcement that CPSC intended to acquire wireless capability at headquarters suggests\nthat such a plan was contemplated at some point. The timing as to when staff began developing\nwireless plans for headquarters would be relevant to this inquiry particularly in light of the employees\xe2\x80\x99\nstatement that they wanted to test the device within the existing technology architecture. If the devices\nwere used at other locations to access wireless internet, that would weaken the argument that they were\nbeing used to test the current CPSC infrastructure. At the same time, if the iPads were used no\ndifferently than laptop computers, even at a remote location, it is hard to parse the difference between\nthe two products given the amorphous blend of functions and features created by technological\nadvances. 12\n\n        Accordingly, in light of the fluid definitions of telecommunication and computers as well as\nevolving technologies, the purchase of an iPad falls within a gray area not contemplated by the\nDirective. While it would have been prudent for staff to have sought guidance prior to making the\npurchase, the Directive does not definitively forbid the purchase of iPads, which are an amalgam of\ntechnologies and functions that fall between the clearly permissible\xe2\x80\x94computer hardware\xe2\x80\x94and the\nclearly prohibited\xe2\x80\x94telecommunications devices. Thus, the use of the purchase card to purchase\nthese devices, while not expressly permitted, is also not expressly prohibited by CPSC Directive\n1540.1 as written.\n\n\n7\n  http://www.apple.com/ipad/ios/.\n8\n  http://www.apple.com/ipad/specs/.\n9\n  IPads with 3G are specifically designed to either operate on the Verizon or AT&T cellular networks. See\nhttp://www.att.com/ipad/?fbid=Ih2ovXRcwKg and http://www.verizonwireless.com/b2c/device/tablet/ipad for the data\nplans offered.\n10\n   Again, at the time it was 3G, currently it is 4G.\n11\n   The applications that come installed on the device that do not require internet would not be beneficial to the agency.\n12\n   The purchaser and recipients of the devices are technology experts and would recognize that the 3G capability was\npresent and since no effort was made to return or exchange the device for wifi only models, it can only be assumed the\nrecipients intended to procure the telecommunications features inherent in the high-end model they purchased.\n\x0c4\n\n\n\n        OMB states that \xe2\x80\x9cunauthorized purchases consist of items that are intentionally purchased and\nare outside of the cardholder\xe2\x80\x99s purchasing authority.\xe2\x80\x9d 13 The iPads were intentionally purchased but,\nas hybrid telecommunication devices not contemplated by the Directive, cannot be deemed to fall\noutside the cardholder\xe2\x80\x99s purchasing authority pursuant to CPSC Directive 1540.1. Accordingly, the\niPads were not unauthorized pursuant to the OMB Circular. Further, since the purchase was not\nunauthorized, the purchase was also not an improper purchase under the OMB Circular. 14\n\n        In addition to the issues discussed above, one other potential area of concern involves the\ninadequate property management process applied to the iPad purchase. The iPads were provided\nbarcodes, one on September 20, 2011 and two on September 28, 2011, but were not properly entered\ninto the Property Management System. Entering the devices into the Property Management System\nentails a formal process that is more involved than merely equipping property with barcodes.\nMoreover, because the items were purchased together, it is reasonable to assume they were also\nreceived simultaneously. Yet, they were barcoded eight days apart. If that were a mere oversight, it\nraises the question as to how the same mistake could occur on two separate occasions (September 20\nand 28). Finally, the items were purchased on July 21, 2011, yet they were not barcoded until two\nmonths later, on September 20th and 28th. These apparent failures in process raise serious concerns that\nwarrant further attention.\n\n\n                                                       CONCLUSION\n\n        In light of technological advances, the Directive provides insufficient direction as to how to\ndistinguish between permissible and prohibited purchases of hybrid products that incorporate both\ncomputer and telecommunication features. Given the dual features of the iPads, their purchase, while\nnot expressly permitted, was also not expressly prohibited by the Directive. In light of the fact that the\niPads offer computer functions that make it comparable to laptops in many respects, it was not\nunreasonable for the EXIT Director, the staff member in the Agency most knowledgeable about\ntechnology, to conclude that this was a permissible computer purchase under the Directive. Because\nthe directive is outdated, it should be rewritten to address the technological advances that have made\nthe bright line distinction between telecommunication and computer hardware a false dichotomy.\n\n\n\n\n13\n     OMB A 123, appendix B sec. 4.6.\n14\n     See Id. (finding that an \xe2\x80\x9cimproper purchase can be one of two types: 1) unauthorized or 2) incorrect.\xe2\x80\x9d\n\x0c"